Multinational Insurance Company Drives GDPR Readiness
Customer:
Multi-National Insurance Company
Challenge:
- Ensure readiness for May 2018 EU General Data Protection Regulation (GDPR)
- Inconsistent IT landscape arising from history of mergers and acquisitions
- Records spread across multiple systems
Solution:
- Advisory, Design, Implementation and Managed Services for a GDPR Data Management and Minimisation Solution
- Architecture models and proprietary knowledge from the DXC Analytics practice
- Centralised orchestration engine to automate the identification, management and deletion of noncompliant Personal Data
Results:
- An automated manage-in-place, scalable approach which connects rather than collects
- Cross-system application of policy
- Defensible workflows to treat noncompliant data, including deletion, and the elimination of manual effort
Building trust, enabling analytics and driving innovation
The deadline for implementing the European Union’s General Data Protection Regulation (GDPR) is close enough now that the official body overseeing it features a countdown clock on its website. It’s a timeline that financial services and insurance companies are following closely. Described as one of the most important changes in data privacy regulation in recent history, GDPR enforcement begins on May 25, 2018.
Organisations failing to meet these new regulations will be liable for fines of up to 4 percent of annual global turnover, or €20 million. Fines may be levied if an organisation doesn’t have sufficient customer consent to process personal data, or if it violates the core concepts encapsulated in GDPR. Customer data is the critical focus for what financial organisations do with their data going forward.
So much to do, so little time
The senior management team at DXC Technology’s customer — a multinational insurance company with a diverse product and services portfolio — recognised the need for a rigorous strategy to govern the effective management and deletion of noncompliant data.
Ultimately, the company wanted to automate the process of managing and deleting noncompliant personal data, but to achieve this, several complicating factors had to be considered and resolved.
To begin with, the business rules that governed record management were complex. Examples included — but were not restricted to — the length of time a record had been held, the age of the individuals involved and the type of record. Plus, the company maintained multiple systems that were not consistently integrated or compatible.
This situation was due to a company-wide estate created partly through organic growth and digital transformations and compounded by diverse systems inherited from mergers and acquisitions. In addition, the business records themselves were spread across the estate — which meant that deleting a record in one system did not guarantee related content would be removed from all relevant systems.
An initial study by the customer’s team determined that the manual effort to identify and delete noncompliant data would take too long. Developing an automated system would enable it to meet its timeline, but the required skills and technologies didn’t exist in-house. To resolve this dilemma, the company called on DXC for help.
The DXC solution
DXC and the customer built a strong collaborative relationship, involving open discussions about what was needed and market-leading advice from DXC on what a technology solution might look like.
“The DXC team reassured us from the beginning that they could implement a robust solution well within the time frame,” says the company’s GDPR programme lead. “What we found most encouraging was their approach to the challenge — not just as a mandatory regulatory task, but as a way of giving us the opportunity to trigger far more collaboration between our various business functions.”
DXC delivered its end-to-end Data Management and Minimisation Solution, which brought together key software tools and architecture models and proprietary knowledge from the DXC Analytics practice. DXC worked with customer teams from across the business to explore current data strategies and to identify the many locations where current data was held and how it could be used.
DXC’s approach to GDPR focuses on the fact that it is not sufficient to address only the exceptions (subject-access requests, requests for deletion, etc.). Businesses must demonstrate and execute proper day-to-day, “business as usual” processes, and not wait until they are challenged by customers. The GDPR principle of “protection by design” requires that data must be routinely deleted or access to it reduced, whenever that is practical.
After the initial design process, the working principle continued to be based on collaboration and agile delivery. DXC worked closely with the customer team to develop, build, test and deploy a solution in line with the customer’s requirements, budget and time scales. Following deployment, DXC transitioned the solution to an ongoing managed support service delivered from DXC’s Global Delivery Centre to ensure effective continuing management of the solution.
Automated, accurate, aligned
The DXC Data Management and Minimisation solution has given the customer a centralised orchestration engine that automates the identification, management and deletion of noncompliant personal data across key systems, for both structured and unstructured data types.
DXC architected the solution to account for the customer’s complex business rules that need to be met before a record is eligible for deletion. Only once all the applicable business rules have been met would a record be deemed eligible for deletion. This coordination is a key feature of the DXC solution, as it provides the business with the assurance and justification to “defensibly delete” a record.
Once a record has been identified for deletion, and the customer has authorised it, the solution then cleanly deletes the record across all systems it resides on. DXC has also enabled the customer to maintain an audit trail to show all actions that have been taken. This history provides information on what, why, how and when data has been deleted from the customer’s systems. It provides the customer with key evidence regarding deletion of a record, should the company ever be challenged on it. From initial contact with DXC to implementation, the project took six months.
With the new, automated management system in place, the company has realised many benefits. Compared to what the company would have spent to manually identify records for deletion, the time and cost savings are significant. More importantly, the solution will continue to deliver benefits that go beyond one-time savings.
DXC’s Data Management and Minimisation offers a blueprint for the rest of the organisation to follow for information life-cycle management. The customer will be able to react quickly to future changes in data protection regulations, and it will enjoy a reduction in risk exposure to potential regulatory fines for holding noncompliant data.
Based on the success of the solution, the company’s GDPR lead says that other business units have begun to use it in different applications, including more effective test data management: “As an organisation, we are confident not just about the day GDPR comes into force, but also that we have a data-centric, customer-centric, diligent approach to information that will stand up to scrutiny whilst supporting more efficiencies within the company.”